Detected a New Flaw in Microsoft Office Equation Editor

On finding an arbitrary code execution flaw in the Equation Editor, one of the 17-year old Office components, Microsoft has removed this component. The Equation editor was used by the users for inserting the mathematical and the scientific equations in the Word documents. In the Microsoft Office suite 2007, the functionality of the editor was replaced, keeping the old component as well.

In November, a serious buffer overflow bug was detected in the Equation editor that made it easier for the attackers to attack or execute the malicious code in the documents, especially when the users are working on specially crafted documents. Instead of, making the amendments to the source code of the component the company repaired the binary file directly, in order to resolve the buffer overflow bug. And this may have been the only reason that Microsoft has lost the source code of this old component.

The Cobalt hackers and Iranian Cyberespionage group have adopted the CVE-2017-11882 vulnerability for attacking purpose. And as the result of this, a number of researchers had started their research work on the older component for finding the other vulnerabilities that allow attacks same as CVE-2017-11882.

Thus, the researchers from Check Point Software Technologies, Qihoo 360, Tencent PC Manager and ACROS Security has recently founded and reported a new vulnerability, divulged Jan. 9, named as CVE-2018-2802.

Now, Microsoft has decided not to remove the component from the Office suite completely. This is because the researchers from Check Point has illustrated that the component can be still misused by making an attempt to make the future flaw exploitation more difficult.

Microsoft has fixed a total of 59 vulnerabilities that includes critical meltdown and Spectre vulnerabilities, affecting most processors. These vulnerabilities were present in Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Microsoft Office Services and Web Apps.

The Flash Player patch, released by Adobe will also be delivered by the Microsoft though Windows update.

Microsoft has temporarily halted the delivery of the Meltdown and Spectre patches to the systems along with AMD processors as these patches were causing a large number of errors, leaving the devices in unbootable state.

Microsoft will not deliver any future security updates for the computers having the incompatible versions of antivirus products, until the antivirus products either get updated to the compatible one or uninstalled. This incompatibility of the antivirus programs with the patches can cause crashing in the system

If you need any kind of help regarding office then visit office.com/setup

Leave a Reply

Your email address will not be published. Required fields are marked *